CVE-2023-50714

Name of the Vulnerable Software and Affected Versions yii2-authclient versions prior to 2.2.15

Description The Oauth2 PKCE implementation in yii2-authclient is vulnerable in two ways. First, the authCodeVerifier should be removed after usage, similar to authState. Second, there is a risk for a downgrade attack if PKCE is being relied on for CSRF protection.

Recommendations For versions prior to 2.2.15, update to version 2.2.15 to resolve the issue. As a temporary workaround, consider removing the authCodeVerifier after usage and avoid relying on PKCE for CSRF protection until a patch is applied.